Download to read offline
![Exodus Intelligence
Vuln Hunting
+0x20c0 – something
+0x20c4 – something
+0x20c8 – char vuln[4096]
+0x30c8 – char foo1[56]?
+0x3100 – short?
+0x3102 – char foo2[x]](https://image.slidesharecdn.com/elvisbluehat2019final-191203213131/85/BlueHat-Seattle-2019-Don-t-forget-to-SUBSCRIBE-43-320.jpg)
![Exodus Intelligence
Exploit Dev
⚫ Gadget 1
⚫ Grants the ability to call a function with 2 arguments
⚫ Gadget 2
⚫ Cheap stack pivot + control of R4-R7
⚫ Gadget 3
⚫ Move the value of R7 [IAT table ptr to strtoul()-4] into R0
⚫ Control of R3-R7
⚫ Gadget 4
⚫ Deref R0+4 into R0. [R0 is now in libc]
⚫ Control of R3-R7](https://image.slidesharecdn.com/elvisbluehat2019final-191203213131/85/BlueHat-Seattle-2019-Don-t-forget-to-SUBSCRIBE-100-320.jpg)
![Exodus Intelligence
Exploit Dev
⚫ Putting it all together
⚫ Spray the heap
⚫ Save the SIDs
⚫ Do not free() the last SID that was saved (roof)
⚫ Free and Replace blocks via UNSUBSCRIBE and
SOAP. [b64(Fake struct + ROPChain + Command)]
⚫ Free 5, Re-occupy 5, Free them again, next 5.
⚫ Watch for multicast traffic and if there’s traffic, occupy
25, free 25, ret.
⚫ Trigger Vulnerability
⚫ Win?](https://image.slidesharecdn.com/elvisbluehat2019final-191203213131/85/BlueHat-Seattle-2019-Don-t-forget-to-SUBSCRIBE-114-320.jpg)
Uploaded byBlueHat Security Conference
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
The document discusses vulnerabilities and exploit development for the Greenwave Fios-G1100 device, focusing on techniques such as heap spraying and vulnerability hunting related to UPnP. It provides references to various resources and outlines a potential exploit chain involving gadgets and memory manipulation. Additionally, it mentions the importance of understanding the device architecture for successful exploitation.
More Related Content
Similar to BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
BlueHat Seattle 2019 || Don't forget to SUBSCRIBE.
- 2.
- 3. Exodus Intelligence Don’t forgettolike and ^
- 4.
- 5.
- 6.
- 7.
- 8.
- 9. Exodus Intelligence GreenWave FiOS-G1100 TDO TCKTMS TDI SRST TRST GND
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23.
- 24.
- 25.
- 26.
- 27.
- 28.
- 29. Exodus Intelligence wps_monitor Not Impactedby ASLRNULL Byte(s)
- 30.
- 31.
- 32.
- 33.
- 34.
- 35. Exodus Intelligence Vuln Hunting somesort of stuct (e.g. thing->buf)
- 36.
- 37.
- 38.
- 39.
- 40.
- 41.
- 42.
- 43. Exodus Intelligence Vuln Hunting +0x20c0– something +0x20c4 – something +0x20c8 – char vuln[4096] +0x30c8 – char foo1[56]? +0x3100 – short? +0x3102 – char foo2[x]
- 44. Exodus Intelligence Vuln Hunting Source:https://github.com/Olipro/VMG1312- B10A/blob/9ae84bc248340f0cb3fb349afffd95a9939a0f02/bcmdrivers/broadcom /net/wl_4.12L08/impl14/router/bcmupnp/include/upnp_type.h
- 45.
- 46.
- 47.
- 48.
- 49.
- 50. Exodus Intelligence Vuln Hunting Source:http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
- 51.
- 52.
- 53. Exodus Intelligence Vuln Hunting ObtainPC Control Can’t use wps_monitor as a gadget (‘x00’) ASLR on imported libraries
- 54.
- 55.
- 56.
- 57. Exodus Intelligence Exploit Dev Spraythe heap Do some magic Trigger overflow and get code exec?
- 58.
- 59. Exodus Intelligence Exploit Dev 100* 1024 * 1024 = 0x06400000
- 60. Exodus Intelligence Exploit Dev ⚫Heap base address always loads below 0x03030303
- 61.
- 62.
- 63.
- 64.
- 65.
- 66.
- 67.
- 68. Exodus Intelligence Exploit Dev Heap 0x000xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB
- 69.
- 70. Exodus Intelligence Exploit Dev Growthe heap Do some magic
- 71.
- 72.
- 73.
- 74.
- 75.
- 76.
- 77.
- 78.
- 79.
- 80. Exodus Intelligence Exploit Dev Spraythe heap Do some magic
- 81. Exodus Intelligence Exploit Dev(road-blocks)
- 82. Exodus Intelligence Exploit Dev(road-blocks)
- 83. Exodus Intelligence Exploit Dev(road-blocks) Remember: You can’t build a house without a roof
- 84. Exodus Intelligence Exploit Dev(road-blocks) Heap 0x00 0xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB4KB 4KB4KB4KB4KB4KB4KB4KB4KB 4KB
- 85. Exodus Intelligence Exploit Dev(road-blocks) Heap 0x00 4KB 0xXXXXXXXX 4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB
- 86. Exodus Intelligence Exploit Dev(road-blocks) Heap 0x00 4KB 0xXXXXXXXX 4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB4KB
- 87. Exodus Intelligence Exploit Dev(road-blocks) Heap 0x00 0xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB4KB 4KB4KB4KB4KB4KB4KB4KB4KB
- 88. Exodus Intelligence Exploit Dev(road-blocks)
- 89. Exodus Intelligence Exploit Dev(road-blocks)
- 90. Exodus Intelligence Exploit Dev(road-blocks)
- 91. Exodus Intelligence Exploit Dev(road-blocks)
- 92. Exodus Intelligence Exploit Dev(road-blocks)
- 93. Exodus Intelligence Exploit Dev(road-blocks) Heap 0x00 0xXXXXXXXX 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB 4KB4KB 4KB4KB4KB4KB4KB
- 94. Exodus Intelligence Exploit Dev Spraythe heap Do some magic Dev exploit chain
- 95.
- 96.
- 97.
- 98.
- 99.
- 100. Exodus Intelligence Exploit Dev ⚫Gadget 1 ⚫ Grants the ability to call a function with 2 arguments ⚫ Gadget 2 ⚫ Cheap stack pivot + control of R4-R7 ⚫ Gadget 3 ⚫ Move the value of R7 [IAT table ptr to strtoul()-4] into R0 ⚫ Control of R3-R7 ⚫ Gadget 4 ⚫ Deref R0+4 into R0. [R0 is now in libc] ⚫ Control of R3-R7
- 101. Exodus Intelligence Exploit Dev ⚫Gadget 5 ⚫ Add R3 and R0 and store the result in R0 ⚫ R0 now points to popen() ⚫ Control of R4 ⚫ Gadget 6 ⚫ Store the value of R0 into the heap ⚫ Gadget 7 (aka 1 again) ⚫ Pick up the stored popen() value and call it. ⚫ First arg = cmd to execute ⚫ Second arg = “r”
- 102. Exodus Intelligence Exploit Dev Gadget1 addr: 0x000150F6+1
- 103.
- 104.
- 105. Exodus Intelligence Exploit Dev(road-block)
- 106. Exodus Intelligence Exploit Dev(road-block) http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0552a/BABCAEDD.html
- 107. Exodus Intelligence Exploit Dev(road-block)
- 108. Exodus Intelligence Exploit Dev Gadget2 addr: 0x0001030C+1
- 109. Exodus Intelligence Exploit Dev Gadget3 addr: 0x0001C30E+1
- 110. Exodus Intelligence Exploit Dev Gadget4 addr: 0x0001C2D2+1
- 111. Exodus Intelligence Exploit Dev Gadget5 addr: 0x00014D62+1
- 112. Exodus Intelligence Exploit Dev Gadget6 addr: 0x000257EA+1
- 113. Exodus Intelligence Exploit Dev Gadget7 (1) addr: 0x000150F6+1
- 114. Exodus Intelligence Exploit Dev ⚫Putting it all together ⚫ Spray the heap ⚫ Save the SIDs ⚫ Do not free() the last SID that was saved (roof) ⚫ Free and Replace blocks via UNSUBSCRIBE and SOAP. [b64(Fake struct + ROPChain + Command)] ⚫ Free 5, Re-occupy 5, Free them again, next 5. ⚫ Watch for multicast traffic and if there’s traffic, occupy 25, free 25, ret. ⚫ Trigger Vulnerability ⚫ Win?
- 115.
- 116.
- 117.
- 118.
- 119.
- 120.
- 121.
- 122.
- 123. Exodus Intelligence $whoami ⚫ @b1ack0wl ⚫0day Researcher for Exodus Intelligence ⚫ Focus on embedded devices ⚫ SOHO + Enterprise network devices ⚫ Smart devices ⚫ ...etc
- 124.